CVE-2026-6993: Unintended Intermediary in go-kratos kratos
CVE-2026-6993 is a medium severity vulnerability in go-kratos kratos versions up to 2. 9. 2. It affects the NewServer function in the transport/http/server. go file, specifically the http. DefaultServeMux Fallback Handler, causing an unintended intermediary behavior. This flaw can be exploited remotely without authentication or user interaction. A patch identified by commit 0284a5bcf92b5a7ee015300ce3051baf7ae4718d is available to fix the issue. No known exploits are reported in the wild at this time.
AI Analysis
Technical Summary
The vulnerability CVE-2026-6993 impacts go-kratos kratos versions 2.9.0 through 2.9.2. It arises from the NewServer function in the HTTP transport server component, where the http.DefaultServeMux Fallback Handler can be manipulated to cause unintended intermediary behavior. This could allow an attacker to interfere with request handling remotely without requiring privileges or user interaction. The issue has been publicly disclosed with an exploit available, and a patch commit has been identified to resolve the problem.
Potential Impact
An attacker can remotely exploit this vulnerability to cause unintended intermediary behavior in the HTTP request handling of go-kratos kratos servers running affected versions. This may lead to unexpected request routing or processing, potentially impacting application behavior or security. The CVSS 4.0 base score is 6.9 (medium severity), indicating a moderate impact without requiring privileges or user interaction.
Mitigation Recommendations
A patch identified by commit 0284a5bcf92b5a7ee015300ce3051baf7ae4718d is available and should be applied to affected go-kratos kratos versions (up to 2.9.2) to remediate this vulnerability. Since the vendor advisory or official remediation level is not explicitly provided, users should verify the patch availability and apply it promptly. No alternative mitigations or vendor statements indicating no action required are present.
CVE-2026-6993: Unintended Intermediary in go-kratos kratos
Description
CVE-2026-6993 is a medium severity vulnerability in go-kratos kratos versions up to 2. 9. 2. It affects the NewServer function in the transport/http/server. go file, specifically the http. DefaultServeMux Fallback Handler, causing an unintended intermediary behavior. This flaw can be exploited remotely without authentication or user interaction. A patch identified by commit 0284a5bcf92b5a7ee015300ce3051baf7ae4718d is available to fix the issue. No known exploits are reported in the wild at this time.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-6993 impacts go-kratos kratos versions 2.9.0 through 2.9.2. It arises from the NewServer function in the HTTP transport server component, where the http.DefaultServeMux Fallback Handler can be manipulated to cause unintended intermediary behavior. This could allow an attacker to interfere with request handling remotely without requiring privileges or user interaction. The issue has been publicly disclosed with an exploit available, and a patch commit has been identified to resolve the problem.
Potential Impact
An attacker can remotely exploit this vulnerability to cause unintended intermediary behavior in the HTTP request handling of go-kratos kratos servers running affected versions. This may lead to unexpected request routing or processing, potentially impacting application behavior or security. The CVSS 4.0 base score is 6.9 (medium severity), indicating a moderate impact without requiring privileges or user interaction.
Mitigation Recommendations
A patch identified by commit 0284a5bcf92b5a7ee015300ce3051baf7ae4718d is available and should be applied to affected go-kratos kratos versions (up to 2.9.2) to remediate this vulnerability. Since the vendor advisory or official remediation level is not explicitly provided, users should verify the patch availability and apply it promptly. No alternative mitigations or vendor statements indicating no action required are present.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-04-24T19:43:37.550Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ed0d1987115cfb682ea5c6
Added to database: 4/25/2026, 6:51:05 PM
Last enriched: 4/25/2026, 7:06:02 PM
Last updated: 4/25/2026, 7:55:18 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.